Policy Advocacy
06/10/2025
Proposal on the Need to Develop New Regulatory Approaches in Light of the Limitations of Consent-Based Personal Data Processing
Atsumi & Sakai
Policy Research Institute
Proposal No. 0006
Published on January 17, 2024
Technology
- 1. Identifying Situations Where Personal Data Should Be Used Without Consent
- 2. Purpose of the Act on the Protection of Personal Information (APPI)
- 3. The Significance of Consent in the Handling of Personal Data
- 4. Positioning of the Act on the Protection of Personal Information (APPI)
- 5. Conclusion and Outlook for Future Discussions
1. Identifying Situations Where Personal Data Should Be Used Without Consent
The Act on the Protection of Personal Information (APPI) in Japan has traditionally relied on a consent-based framework, focusing on the specification of the purpose of use, restrictions on use beyond that purpose, and regulations on third-party provision. However, a growing number of cases have emerged in which necessary services and social activities are being hindered due to the inability to utilize personal data within this consent-centric framework.
For example, the following cases highlight this issue:
(1) Disaster Prevention
Even in disaster prevention and response, where saving lives is the highest priority, municipalities have faced uncertainty regarding the handling of personal data. As a result, guidelines were established to clarify the use of personal data during both emergencies and routine disaster preparedness, without requiring individual consent[1]. Nonetheless, these guidelines do not address unexpected use cases, and their Q&A section continues to be updated to clarify increasingly technical and detailed interpretations[2].
(2) Healthcare, Nursing Care, and Public Health
In the fields of healthcare, nursing care, and public health—which directly concern individuals' lives and physical well-being—data use remains limited both for primary use (e.g., treatment of individuals) and secondary use (e.g., research not targeting specific individuals). Despite growing efforts, it has been noted that data use in both contexts remains considerably restricted[3].
(3) Development of Foundational Registries for Corporations and Real Estate
In efforts to develop base registries for corporate and real estate registration information, the Digital Agency's administrative reform task force has conducted several discussions on how such initiatives intersect with personal data protection regulations[4].
(4) Anti-Money Laundering and Counter-Terrorism Measures
Under the 2022 amendments to the Payment Services Act, licensed exchange transaction analysis entities are now authorized to jointly conduct transaction monitoring across deposit-taking institutions. However, even for this purpose, personal data must be received via delegation from each institution, and combining data from multiple institutions for analysis requires individual consent. The legal framework has been designed accordingly[5]. Further discussions have acknowledged the need to facilitate broader data sharing in the future[6].
As seen in the above examples, it is increasingly evident that obtaining individual consent in every case is often impractical due to various reasons specific to each sector. While there are indeed situations where consent-based frameworks are appropriate and necessary, it may no longer be viable to insist on consent as the default approach. Instead, it would be more constructive to develop new protective mechanisms that serve as alternatives to consent.
This proposal seeks to revisit the fundamental purpose of the APPI, reflect on the significance of individual consent and the positioning of the Act, and advocate for a legal framework that allows for the appropriate use of personal data to help resolve pressing social issues in Japan.
2. Purpose of the Act on the Protection of Personal Information (APPI)
The APPI aims not only to protect “the rights and interests of individuals” but also to ensure the utility of personal information. Regarding the latter, the Basic Outline at the time of the APPI’s enactment notes that "the circulation, accumulation, and use of large volumes of diverse personal information through the use of information and communication technologies enable businesses to more accurately reflect individual needs and provide timely services, making such information indispensable for both economic activity and daily life." This dual purpose was further clarified in the 2015 amendment to the APPI[7]. Similarly, the GDPR also includes provisions concerning the utility of personal data in its Recital (6), Article 1(1) and (3), and Article 85.
However, the relationship between the protection of “the rights and interests of individuals” and utility under the APPI is not clearly defined. One interpretation prioritizes the protection of individuals’ rights and interests as the most important purpose[8], while another suggests that “the protection of such rights and interests should not always be superior to utility, and that the optimal balance between the two should be examined on a case-by-case basis”[9]. If the latter view is adopted, the APPI may be less effective as a legal guideline when businesses attempt to weigh the utility of data against individuals’ rights and interests in making business decisions.
Moreover, the meaning of “rights and interests” itself—which is one side of this balancing act—may be ambiguous. The APPI, since its enactment, has lacked clear articulation of what kind of institutional framework it seeks to establish. Although the protection of “the rights and interests of individuals” is stated as a purpose (Article 1), this does not equate to a “right to privacy” or a “right to control personal information.” One of the drafters of the APPI noted that “the term ‘rights and interests of individuals’ refers to the full range of personal rights and property interests that may be infringed depending on how personal information is handled, as stated in the Basic Outline. While privacy is a major example, it is not the only one. Since the content and legal effect of the right to privacy are unclear, codifying it directly into the statute would not be appropriate from the perspective of establishing a clear and stable legal framework”[10].
On the other hand, it may be argued that the APPI substantively introduces a control mechanism over personal data through its requirements regarding consent, disclosure, and other provisions on the use of personal data for unintended purposes or third-party provision. However, it is also a fact that the APPI’s text does not use the phrase “right to control personal data”[11].
The fact that the APPI’s stated purpose is not privacy per se, but the broader protection of “the rights and interests of individuals,” has been positively evaluated as suitable for today’s context, in which the scope of harms from inappropriate handling of personal data has dramatically expanded to include property interests and beyond[12]. Nevertheless, such broadly framed language raises the concern that it could encompass anything and everything. If so, this ambiguity may also hinder the APPI from functioning effectively as a general statute governing data protection.
3. The Significance of Consent in the Handling of Personal Data
The APPI establishes a foundational framework to support the minimum necessary regulations and voluntary initiatives of personal information-handling business operators in the advanced information and communications society, with the aim of preventing violations of individuals’ rights and interests in advance through the proper handling of personal data[13]. In other words, the APPI seeks to prevent violations of rights and interests by setting out rules on the proper handling of personal data, and ensures the effectiveness of those rules through oversight by the Personal Information Protection Commission. One of the core rules provided under the APPI is the concept of “data subject consent.”
“Data subject consent” refers to an expression of intent by the individual consenting to the handling of their personal data in the manner specified by the personal information-handling business operator[14]. Under APPI, the requirement of consent appears in several provisions, including Article 18, Paragraphs 1–3, Item 2 (limitations on purpose of use); Article 20, Paragraph 2 (acquisition of sensitive personal information); Article 27, Paragraph 1 (restrictions on third-party provision); Article 28, Paragraphs 1 and 2 (restrictions on provision to third parties in foreign countries); Article 31, Paragraph 1 (restrictions on provision of personally referable information to third parties); Article 69, Paragraph 2 (restrictions on use and provision); and Article 71, Paragraphs 1 and 2 (restrictions on provision to third parties in foreign countries). Moreover, consent requirements appear in various forms in sectoral guidelines such as the Financial Guidelines, Credit Guidelines, and Medical and Nursing Care Guidelines.
Although consent is positioned as the core rule ensuring the proper handling of personal data, its significance merits reconsideration. It is generally understood as a means of protection—i.e., that personal data must not be used without consent. However, such an interpretation implies that once consent is obtained, data handlers may act without restriction, thus potentially protecting businesses rather than data subjects. In reality, consent often functions as a form of risk acceptance or waiver by the individual. The ongoing debate over how consent should be obtained underscores this understanding of consent as a mechanism for accepting risk. If consent is merely one way to allocate risk, the focus should shift to who bears the risk, what the risks are, and how those risks are controlled. This raises the possibility of creating legal frameworks that regulate data use in a supervisory or protective manner where higher levels of risk are involved, and of supplementing—or even substituting—consent with alternative tools such as privacy-enhancing technologies (PETs). Reasonable risk control, rather than “data subject consent” alone, should become the core principle of rules governing the proper handling of personal data.
This more nuanced view, one that does not treat consent as absolute, is already present in other jurisdictions. For example, although the GDPR recognizes the protection of personal data as a fundamental right (Article 1(2)), it does not regard consent as the sole legitimate basis for data processing[15]. The GDPR assumes that data subjects are not always capable of fully bearing the risks involved and therefore adopts a proportionality-based approach, weighing the fundamental right to data protection against the appropriateness and legitimacy of data utilization (Recital 4). Under this approach, legislative bodies are initially responsible for determining whether risk control is reasonable, with judicial review playing a secondary role if necessary. In the United States, the proposed American Data Privacy and Protection Act (ADPPA), a bill introduced in Congress in 2022 that has not been enacted, takes a comparable approach by reserving an explicit-consent requirement for a higher-risk category: personal data of minors under 17 may not be transferred to third parties without the individual's affirmative express consent.
4. Positioning of the Act on the Protection of Personal Information (APPI)
Although the current APPI is positioned as a general law, it does not clearly articulate universally applicable principles[16]. However, if we understand that the core of the rules governing the proper handling of personal information lies in the rational control of risk, the role of the APPI becomes more clearly defined. For example, the law could require businesses to put in place appropriate measures that keep the risks of their data handling within reasonable bounds, and, where they intend to deviate from that norm, hold them accountable by requiring them to explain and justify the deviation.
Such a framework could establish the rationalization of risk as a generally applicable principle. Building on that foundation, sector-specific laws and guidelines (GLs) can further refine and implement the principle, taking into account differences in data types, technologies, industries, and operational models. If the general law (APPI) sets forth what constitutes reasonable risk management to some degree, and individual laws or GLs explicitly adapt those principles to each sector, the legal framework surrounding personal information protection can achieve overall consistency and coherence.
5. Conclusion and Outlook for Future Discussions
Through discussions among the expert members of the Policy Research Institute, a shared understanding has emerged that, even at the international level—including within the EU and the United States—no universally effective regulatory framework has yet been established for the appropriate use of personal information as an alternative to consent. While various potential approaches—such as risk-based regulation, strengthening of ex-post controls, and enhanced powers of supervisory authorities—have been explored in foreign legal systems, no definitive consensus has been reached to date.
At the same time, as discussed in Chapter 1, it has become increasingly evident that there are growing numbers of scenarios in which the use of personal information is essential—without which important social challenges cannot be adequately addressed. This proposal, recognizing the timing of the triennial review of Japan’s Act on the Protection of Personal Information (APPI), argues for the necessity of initiating a fundamental reexamination of the mechanisms used to safeguard individuals.
The Institute aims to continue its deliberations on this topic in the coming year and beyond, and to examine more concrete regulatory strategies—potentially including sector-specific or domain-specific approaches—as part of ongoing efforts to identify optimal legal and policy frameworks.
End.
[1] Cabinet Office, Disaster Management: "Guidelines on the Handling of Personal Information in the Field of Disaster Management" (March 2023). https://www.bousai.go.jp/taisaku/kojinjyouho/pdf/shishin.pdf
[2] See the Cabinet Office’s official webpage related to the "Guidelines on the Handling of Personal Information in the Field of Disaster Management": https://www.bousai.go.jp/taisaku/kojinjyouho/shishin.html
[3] Cabinet Office, Council for Regulatory Reform, Opinion on Legal Framework Development for the Utilization of Medical and Related Data (June 1, 2023), p. 3. https://www8.cao.go.jp/kisei-kaikaku/kisei/publication/opinion/230601_general16_02.pdf
[4] Digital Agency, Working Group of the Provisional Administrative Research Council, from the 17th meeting (December 7, 2022) to the 24th meeting (September 20, 2023): https://www.digital.go.jp/councils/administrative-research-wg and the first meeting (November 22, 2023) of the successor body, the Council for Digital System Reform: https://www.digital.go.jp/councils/digital-system-reform/4502f325-1144-466d-847c-72ec3890645e Note: The Personal Information Protection Commission also participated in discussions during these meetings.
[5] See Articles 63-23 and following of the 2022 amendment to the Payment Services Act.
[6] Financial Services Agency, Report by the Working Group on Payment Services, Financial System Council (January 11, 2022), pp. 11–12. https://www.fsa.go.jp/singi/singi_kinyu/tosin/20220111/houkoku.pdf Footnote 40 in particular states:
“There was a suggestion that, from the perspective of advancing AML/CFT while considering personal information protection, it would be necessary to identify the personal information that needs to be shared among banks, and to continue discussions on establishing a legal framework for such sharing through a common institution.”
[7] According to the drafters, the wording added in the 2015 amendment merely clarified the examples of “usefulness of personal information” already included in the original Act and did not alter its original purpose. See Kazuhisa Uryu (ed.), Q&A on the 2015 Amendment of the Act on the Protection of Personal Information (Shojihomu, 2015), p. 9.
[8] Katsuya Uga, New Article-by-Article Commentary on the Act on the Protection of Personal Information (Yuhikaku, 2021), p. 48.
[9] Hisamichi Okamura, Act on the Protection of Personal Information, 4th ed. (Shojihomu, 2022), p. 60.
[10] Itsuo Sonobe (ed.), Commentary on the Act on the Protection of Personal Information (Gyosei, 2003), pp. 43–44.
At the time of the enactment of the former Act on the Protection of Personal Information Held by Administrative Organs (the predecessor to the current APPI), the former Management and Coordination Agency explained that privacy was not explicitly mentioned in the law for the following reasons:
(1) The protected legal interest under the law was not intended to be privacy rights in general as a specific legal right;
(2) Some aspects of privacy—such as peeping in real life—are unrelated to electronic processing of personal data and fall under other legal frameworks such as torts under the Civil Code;
(3) Since the scope of privacy is broad, relative, and difficult to define consistently, it is an abstract and polysemous concept. Therefore, protecting it under a single statute is both theoretically and practically impossible. Attempting to do so would result in vague and general provisions, and ultimately the substantive content would be determined by specific rights and regulations;
(4) Abstract and general rights are unnecessary for protecting the rights and interests associated with the handling of personal information.
See Management and Coordination Agency, Article-by-Article Commentary on the Act on the Protection of Personal Information (Daiichi Hoki, 1991), p. 42.
In Diet deliberations at the time of the APPI’s enactment, the government emphasized (3) above as part of its official position. While the importance of the term “privacy” seems to have increased during the 2015 amendment deliberations, the government’s position from the time of the original and predecessor law has essentially been maintained (see remarks by Minister Shunichi Yamaguchi, House of Councillors Committee on General Affairs, May 26, 2015, No. 9).
[11] During Diet deliberations on the enactment of the APPI, the government explained:
(1) The concept of the “right to control personal information” had not been clearly established and was ambiguous;
(2) No examples exist of foreign laws explicitly using the term “right to control personal information” in their texts;
(3) Recognizing a right to control all information related to oneself could lead to misunderstanding or overreach, and potentially conflict with other principles such as freedom of expression;
(4) The law already incorporates specific provisions ensuring individual involvement, so there was no issue.
See statements by Minister Hirotaka Hosoda and Cabinet Secretariat Deputy Director Akio Fujii, House of Representatives Special Committee, April 14 and 15, 2003 (No. 2 and No. 3 sessions).
[12] Okamura, supra note 9, p. 56.
[13] IT Strategic Headquarters, Expert Committee on the Legal Framework for Personal Information Protection, Outline of the Basic Legal Framework for the Protection of Personal Information (October 11, 2000), p. 20.
[14] Guidelines on the Act on the Protection of Personal Information (General Rules Edition), Section 2-16.
[15] Under the GDPR, lawful bases for processing personal data include:
① the data subject’s consent;
② processing necessary for the performance of a contract;
③ processing necessary for compliance with a legal obligation;
④ processing necessary to protect the vital interests of the data subject or another natural person;
⑤ processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority; and
⑥ processing necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject (Article 6(1), GDPR). In applying ⑥, the balancing is commonly carried out by considering:
(1) the legitimacy of the controller’s interest,
(2) the impact on the data subject,
(3) the provisional balance between the two, and
(4) the controller’s additional measures to prevent excessive impact on the data subject. These four factors reflect the legitimate-interests assessment as it is applied in practice rather than the wording of Article 6(1) itself.
[16] At the time of its initial drafting, there was a reluctance to adopt a general law on personal information protection for the private sector. Instead, a sectoral approach, similar to that of the United States—where specific laws are developed for each area to implement concrete measures for personal information protection—was envisioned. The Interim Report of the Subcommittee on the Protection of Personal Information noted: “Because the ways and degrees of personal information use in the private sector vary widely by field, it is essential to fully leverage the advantages of approaches tailored to the characteristics of use in each field, such as public involvement through individual laws or voluntary regulations within the private sector.”
However, the Act on the Protection of Personal Information (APPI), which was subsequently enacted, came to serve as the general law for personal information protection in the private sector (and following the 2021 amendment, as the de facto general law for personal information protection overall). The legislative outline stated: “This outline seeks to establish the principles that form the foundation for the proper handling of personal information, encourage voluntary efforts by those handling personal information, and clarify the framework for the government’s comprehensive initiatives. In addition, it introduces minimal necessary rules for certain business operators who use personal information—primarily through information and communications technology—and places primary responsibility on the operators themselves to protect personal information properly, while also providing mechanisms for limited individual involvement and oversight through directions and instructions by the relevant ministers.”
Consequently, in cases where the APPI cannot adequately address specific issues, or where applying the APPI would not be appropriate, individual laws have come to be required.
Research Group Members and Fellows Related to This Article
*In no particular order
Author
Takafumi Ochiai
Attorney
Senior Partner at Atsumi & Sakai
Tatsuya Kurosaka
CEO, Kuwadate Inc.
Project Associate Professor, Graduate School of Media and Governance, Keio University
Toshio Taki
Executive Officer, Group CoPA (Chief of Public Affairs)
Head of Sustainability and Head of Money Forward Institute of Economic Research
Makoto Koizumi
Secretariat, Digital Literacy Council
Fellow, Fukuoka Directive Council (FDC)
Chair, Quantum Skills Standardization Committee, Q-STAR
Researcher, Graduate School of System Design and Management, Keio University
Yosuke Miyata
K.K. poliflect, CEO
Hironobu Azuma
Principal, The Japan Research Institute, Limited (JRI)
Project Professor, Organization for Research Promotion, Osaka Metropolitan University
Seiko Shirasaka
Dean and Professor, Graduate School of System Design and Management, Keio University
Naoto Ikegai
Professor, Graduate School of Law, Hitotsubashi University
Hiroki Habuka
Research Professor, Graduate School of Law, Kyoto University / Visiting Professor, University of Tokyo Graduate School of Law and Politics / Attorney-at-Law (Japan & New York State) / Representative Director & CEO, Smart Governance, Inc.
Tatsuhiko Inatani
Professor, Graduate School of Law, Kyoto University
Takayuki Matsuo
Attorney
Partner at Momo-o, Matsuo & Namba Law Offices
Satoshi Narihara
Associate Professor, Faculty of Law, Graduate School of Law, Kyushu University
Kenichi Tanizaki
Attorney
Senior Partner at Atsumi & Sakai
Naoyuki Inui
Attorney, Atsumi & Sakai
Chie Shinsha (Attorney, Atsumi & Sakai)
Reisuke Makuta (Attorney, Atsumi & Sakai)
This proposal was prepared based on input from the above authors and contributors, as well as interviews with experts from both the public and private sectors. Among them, the individuals listed above made particularly significant contributions.